Computer security uses several schemes to authenticate users in client-server communication. The traditional scheme, usually used when a user logs in to the server, is based on security credentials provided by the user, e.g., a password or a fingerprint. Another scheme, active biometric authentication, which is the subject of the present invention, is used during a long session of client-server communication, which starts when a user logs in to the server and ends when he logs out. During a long session, a series of user authentications is performed to make sure that the same user is in control of the client for the entire session. This scheme does not require any deliberate action from the user; the authentications are performed seamlessly, without interrupting user activity.
To perform a series of user authentications, the server generates authentication requests. For each request, the server creates a request key and sends it to the client. Specific biometric information about the user is collected in the background on the client during the entire session. In reply to a server request, the client uses this biometric information to create a response key, which it sends to the server. The server verifies the user based on the received response key.
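The request/response exchange described above, as an added example that is not part of the original text. The text does not say how the response key is computed; this sketch assumes HMAC-SHA256 over the request key, keyed by a value derived from quantized biometric features, and every name and feature value in it is constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(features, step=0.25):
    # Assumption: a toy quantizer stands in for a real key-from-biometrics scheme,
    # so that small measurement noise maps to the same key.
    cells = ",".join(str(round(f / step)) for f in features)
    return hashlib.sha256(cells.encode()).digest()

class Server:
    def __init__(self, enrolled_key):
        self._key = enrolled_key
        self._pending = set()  # request keys issued but not yet answered

    def new_request(self):
        request_key = secrets.token_bytes(16)  # fresh and unpredictable per request
        self._pending.add(request_key)
        return request_key

    def verify(self, request_key, response_key):
        if request_key not in self._pending:
            return False  # unknown or already used request key: replay rejected
        self._pending.discard(request_key)  # each request key is single use
        expected = hmac.new(self._key, request_key, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response_key)  # constant-time compare

def client_response(request_key, current_features):
    # The client answers from whatever biometric data it is collecting right now.
    key = derive_key(current_features)
    return hmac.new(key, request_key, hashlib.sha256).digest()

def run_session(server, readings):
    # One authentication per background reading; returns the verdict for each.
    verdicts = []
    for features in readings:
        request_key = server.new_request()
        verdicts.append(server.verify(request_key, client_response(request_key, features)))
    return verdicts

# Constructed sample data: the enrolled user, a noisy re-reading, a different person.
ENROLLED = [0.50, 1.25, 2.00]
SAME_USER_NOISY = [0.55, 1.20, 2.05]
OTHER_USER = [0.75, 1.25, 2.50]

if __name__ == "__main__":
    server = Server(derive_key(ENROLLED))
    print(run_session(server, [ENROLLED, SAME_USER_NOISY, OTHER_USER]))
```

The last reading models a different person taking over the client mid-session, which is the event the series of authentications exists to detect.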
The main problems of biometric authentication are the security of the communications and the risk to the privacy of the user.
U.S. Pat. No. 6,487,662 provides a biometric system for biometric input, authentication and access control in client-server communications. The system is based on an optical scanner embedded in the computer mouse, which scans the user's thumb. This system cannot be used for active biometric authentication because, in order to input biometric data, the user has to perform a series of actions. Another disadvantage of the method is that reference fingerprints are saved in a database, which puts the privacy of the user at risk.
Privacy can be protected by biometric encryption methods [Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, Adam Smith. 2008. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, SIAM Journal on Computing, 38, 1 (January 2008), 97-139. http://www.cs.bu.edu/~reyzin/fuzzy.html]. These methods are based on representation templates saved in special databases. This approach implies a small but non-zero privacy leakage. Moreover, if a hacker gets access both to the templates and to the encryption algorithms, he can break the system [Ann Cavoukian, Alex Stoianov. 2007. Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy. Discussion paper of the Office of the Information and Privacy Commissioner of Ontario, 2007. http://www.ipc.on.ca/images/Resources/bio-encryp.pdf].
Besides protecting representation templates by means of cryptography, it is possible to protect templates by intentionally distorting the biometric data [U.S. Pat. No. 6,836,554]. Such feature transformation methods are difficult to analyze theoretically with respect to the closeness of biometric records, and they raise problems of irreversibility and unlinkability of the transformations [Manabu Inuma, Akira Otsuka. 2013. Relations among Security Metrics for Template Protection Algorithms. arXiv:1212.4195 v2 [cs.CR]. Cornell University Library. http://arxiv.org/pdf/1212.4195.pdf].
U.S. patent application Ser. No. 13/936,190 proposes a method of active biometric authentication with zero privacy leak and a high level of communication security. The method is based on standard equipment (a laptop with a webcam and microphone) and on the processing of facial images. The drawback of using facial images is that the results depend to a great degree on the illumination of the face; in addition, the face can be turned at a significant angle or blocked by hands during the session. These factors complicate the authentication process.